Introduction


The Information Commissioner’s Audit and Risk Committee (the 
Committee) provides scrutiny, oversight and assurance of risk control and 
governance procedures. Minutes of its meetings are available on the ICO’s
website at www.ico.org.uk.


Membership and attendance


The Committee’s chair is Ailsa Beaton, who is a non-executive director 
and member of the Management Board. 


There are two other members of the Audit and Risk Committee: Jane 
McCall, who is a non-executive director and member of the Management 
Board; and Roger Barlow, who is an independent member. 


In 2020-21, the Committee met on 22 June 2020, 13 November 2020, 25 
January 2021, 26 April 2021 and 21 June 2021. This report was agreed at 
the Committee’s meeting on 21 June 2021. Attendance of members at 
Committee meetings is detailed in the ICO’s Annual Report and Accounts 
2020/21. Due to the COVID-19 pandemic, all meetings were held 
virtually. 


The ICO’s external audit function in 2020-21 was provided by the National 
Audit Office, with BDO working on their behalf. The ICO’s internal audit 
function in 2020/21 was provided by Mazars. Representatives of external 
audit and internal audit attended all of the meetings. 


Secretariat for the meetings was provided by the Corporate Governance 
Team. 


Meetings during 2020/21 


The Committee considers the following issues as standing items at all of 
its meetings: 


• an update on current ICO issues from the Deputy Chief Executive
Officer;

• a review of the corporate risk register;

• the most recent monthly finance report;

• progress reports from the internal and external auditors;

• discussion of audit reports and performance in clearing outstanding
internal and external audit recommendations;

• reports on any single-tender contract awards over £25k; and

• updates on whether there have been any reported whistleblowing,
fraud or security incidents, and details of these where appropriate.


In addition, during the year the Committee considered the following 
matters: 


• the Annual Report & Accounts for 2019/20 and for 2020/21;

• lessons learned from the production of the 2019/20 annual report;

• the Arms-Length Bodies’ Audit Committee Chairs’ Assurance Letter to
DCMS for 2019/20 and 2020/21;

• an update on the ICO’s approach to risk management, and an annual
review of the full risk register;

• procurement of a new internal audit contract;

• a deep dive into the arrangements that are in place to ensure the
ICO’s compliance with all legislative requirements;

• information on Board succession planning;

• business continuity preparations;

• delivery of the ICO’s service excellence programme;

• the ICO’s response to the COVID-19 outbreak, including a deep dive
into the new ways of working, both current and in the future, in
response to the pandemic;

• assurance on the ICO’s cyber security arrangements; and

• options for developing a trust statement.


Internal and external audit 


During the year, the Committee reviewed the audit plan and progress 
against it on a continual basis. The Committee considered internal audit 
reviews of: 


• HR core controls;

• Fees and income;

• Business planning;

• Relationship management;

• High Profile Investigations;

• Information Governance; and

• Investigations and Enforcement.


In these audits, Mazars made 29 formal audit recommendations. There 
were also five audit recommendations from audits in 2019/20 which had 
not been due for completion during 2019/20. At year end, Mazars 
reviewed progress with these 34 recommendations, and confirmed that all 
25 which were due for completion during 2020/21 have been completed. 
Nine recommendations were not yet due for completion. 


Mazars also conducted an advisory audit of Business Continuity. 


Mazars’ Annual Internal Audit Report 2020/21 concluded that: “On the 
basis of our audit work, our opinion on the framework of governance, risk 
management, and control is Moderate in its overall adequacy and 
effectiveness. Some improvements are required to enhance the adequacy 
and effectiveness of the framework of governance, risk management and 
control. We highlighted weaknesses in the area of stakeholder 
management where two fundamental recommendations were made. We 
also noted good practice in other areas, including our audits of fees and 
income, information governance, and investigations and enforcement, 
which provided substantial assurance opinions. All matters have been 
discussed with management, to whom we have made recommendations. 
All of these have been, or are in the process of being addressed, as 
detailed in our individual reports.” 


“Moderate” is the second highest of the four ratings offered by Mazars 
(who provide annual report opinions of “substantial”, “moderate”, 
“limited” and “unsatisfactory”). “Moderate” is defined as “some 
improvements are required to enhance the adequacy and effectiveness of 
the framework of governance, risk management and control.” 


The National Audit Office Audit Completion Report 2020/21 concluded that 
“we anticipate recommending to the Comptroller and Auditor General that 
he should certify the 2020-21 financial statements with an unqualified 
audit opinion, without modification in respect of both regularity and the 
true and fair view on the group financial statements.” 


Audit and Risk Committee opinion 


Given the opinion of the internal auditors and external auditors as 
expressed in their annual reports, and the other information available to it 
from its work during the year, the Audit and Risk Committee can 
therefore provide the Commissioner, as Accounting Officer, with 
reasonable assurance that the ICO’s control mechanisms are working 
satisfactorily. 


The Committee is satisfied with the quality of internal and external audit. 
The Committee believes that, by virtue of this work, it is able to take a 
measured and diligent view of the quality of financial and other systems 
of reporting and control within the ICO. The Committee welcomed the 
ratings of substantial assurance in the audits for Information Governance, 
Fees and Income, and Investigations and Enforcement. The Committee is 
satisfied that the ICO has appropriate systems of internal control, which 
work well. 


In respect of its own performance the Committee considers that it has 
directed the internal audit function towards areas relevant to the risks
facing the ICO. It has constructively challenged management and the
internal audit function. It has received a high level of cooperation and 
support from all concerned. Responses to audit recommendations from 
management are positive and the Committee is satisfied that 
management within the ICO is committed to maintaining an appropriate 
level of internal control and prudent use of resources. 


This opinion feeds into the Commissioner’s drafting of the Governance 
Statement for 2020/21, which was considered by the Audit and Risk 
Committee at its April 2021 and June 2021 meetings. 


21 June 2021. 


